Magecart Attacks Grow Rampant in September

guest · Dec 18, 2019

Hunting for Magecart With URLscan.io
December 18, 2019
https://www.securityweek.com/hunting-magecart-urlscanio

Trustwave has now published a how-to guide where anyone -- consumers or small retailers -- can check for the presence of Magecart using the free URLscan.io service. It is not the idea that is new, but the guide. 'Jake' started a Twitter thread titled 'Magecart Hunting Thread' on December 3, 2019:

"This is a thread about how to hunt and find #Magecart infected sites using @URLscan." The Twitter thread is well-suited to tech-savvy threat hunters; the Trustwave blog provides step-by-step instructions for almost anyone.
URLscan provides an automated scan and analysis of websites via standard browsing. It records and displays the activity of the page, including the domains and IP addresses contacted, and the resources -- including scripts -- requested from those domains. While it offers professional commercial services, it also provides a free-to-use Public Scan of specified URLs.

The process described in Trustwave's guide will help consumers (and hunters) to detect infected websites and tell them not to provide any payment details. If the infection is also reported to the website, the website can take the necessary steps to first remove the skimmer, and then harden the site.
Click to expand...

Trustwave - SpiderLabs Blog: Anyone Can Check for Magecart with Just the Browser

guest · Dec 26, 2019

What is Magecart? How this hacker group steals payment card data
December 26, 2019
https://www.csoonline.com/article/3...is-hacker-group-steals-payment-card-data.html

Magecart definition
Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually the Magento system, to steal customer payment card information. This is known as a supply chain attack. The idea behind these attacks is to compromise a third-party piece of software from a VAR or systems integrator or infect an industrial process unbeknownst to IT.

Shopping carts are attractive targets because they collect payment information from customers: if your malware can tap into this data stream, you have a ready-made card collection tool.
Magecart is known to have been active since 2016 and is quite prolific.
How Magecart works [...]
Click to expand...

guest · Jan 3, 2020

New Magecart skimmers practice steganography, data transfer via WebSocket
January 3, 2020
https://www.scmagazine.com/home/sec...ce-steganography-data-transfer-via-websocket/

A researcher has discovered a pair of new Magecart-style web skimmers, each one featuring an evasion technique that’s not typically employed by this breed of malware: steganography and the transfer a data via the WebSocket protocol.

According to Malwarebytes, the steganography-based skimmer is the first documented skimmer to use this technique, which commonly involves hiding code within harmless-looking imagery.
In a Dec. 26 tweet, @AffableKraut said a colleague of his found the skimmer while searching through SIEM data.

“The skimmer group uploads or modifies an existing image and appends the JS code,” the researcher says. In this case, the image appears to be an innocuous “free shipping” ribbon, which was observed on a shopping site.
“As it happens, the majority of web crawlers and scanners will concentrate on HTML and JavaScript files, and often ignore media files, which tend to be large and slow down processing,” states Malwarebytes Director of Threat Intelligence Jeroma Segura in a company blog post earlier this week. “What better place to sneak in some code?”

But unique to this malicious tool is its ability to use the WebSocket communication protocol to both load payloads and exfiltrate checkout data over a TCP connection.
Click to expand...

Malwarebytes: New evasion techniques found in web skimmers

guest · Jan 7, 2020

MageCart Attackers Steal Card Info from Focus Camera Shoppers
January 7, 2020
https://www.bleepingcomputer.com/ne...s-steal-card-info-from-focus-camera-shoppers/

The website of popular photography and imaging retailer Focus Camera got hacked late last year by MageCart attackers to inject malicious code that stole customer payment card details.
Posing as ZenDesk legitimate domain
To hide the malicious traffic, the attackers registered "zdsassets.com," a domain that resembles ZenDesk's legitimate "zdassets.com."
When analyzing the breach, Hahad found that the attacker modified a JavaScript file to inject an obfuscated payload.

In a blog post today, Hahad says that the MageCart script acted when the customer made a purchase as a guest, without having registered.
After determining that the Focus Camera website had been compromised, Juniper Threat Labs tried to contact the site owners.
Click to expand...

MageCart Skims Credit Cards from FocusCamera.com

guest · Jan 10, 2020

Card-Stealing Scripts Infect Perricone's European Skin Care Sites
January 10, 2020
https://www.bleepingcomputer.com/ne...s-infect-perricones-european-skin-care-sites/

Multiple European websites for the Perricone MD anti-aging skin-care brand have been compromised with scripts that steal customer payment card info when making a purchase.

Two MageCart groups were competing for the credit card data on Perricone MD websites in the U.K., Italy, and Germany, but current evidence shows that only one exfiltrated the details successfully.
Two scripts, one winner
The first malicious script was planted on the Perricone websites more than a year ago, in November 2018. It was supposed to deliver the card data to the attacker's domain but a coding error prevented it from loading.
RapidSpike contacted Perricone MD and disclosed the issues on the websites, also offering their help to fix the problem. However, after the security researchers shared the details, communication stopped.

The malicious code is still present on the three Perricone MD's websites but it does not load for all customers
Perricone MD customers that made a purchase last year should check for irregular card transactions and report any of them to the bank.
Click to expand...

Multiple Hacking Groups Attempt to Skim Credit Cards from Perricone MD

guest · Jan 10, 2020

Australia Bushfire Donors Affected by Credit Card Skimming Attack
January 10, 2020
https://www.bleepingcomputer.com/ne...nors-affected-by-credit-card-skimming-attack/

Attackers have compromised a website collecting donations for the victims of the Australia bushfires and injected a malicious script that steals the payment information of the donors.

The Malwarebytes Threat Intelligence Team has discovered a legitimate web site collecting donations for the tragic bushfires in Australia that has been compromised by a Magecart script.
When a user submits their payment information as part of the checkout process, the malicious script will steal the submitted information and send it to the vamberlo[.]com domain.

As the code is still active on the site, though, it could be modified by the hackers to utilize a new domain that will enable the skimming script again.
Skimmer active on other sites
Using the PublicWWW tool, Troy Mursch of Bad Packets Report has also discovered that this same script is currently active on 39 other web sites
Click to expand...

guest · Jan 20, 2020

Hanna Andersson Data Breach: Hackers Compromise Website of Children's Clothier
Portland, Oregon-based children's clothing maker Hanna Andersson has quietly disclosed a breach to affected customers
January 20, 2020
https://www.securityweek.com/hanna-...hackers-compromise-website-childrens-clothier

The letter, obtained by SecurityWeek, has been sent via postal mail and explains that a third party had gained unauthorized access to customer information entered during online purchases between September 16 and November 11, 2019. This was only discovered after the firm was notified by law enforcement that such a breach had likely happened; although the firm gives no indication of the date they were so informed.

According to the breach notification letter, the "incident potentially involved information submitted during the final purchase process on our website, www.hannaandersson.com, including name, shipping address, billing address, payment card number, CVV code, and expiration date.
There is no indication that these details were encrypted -- indeed, the implication is that they were not.

The Hannah Andersson breach has not been confirmed as a Magecart attack, but such attacks generally involve the insertion of malicious skimmer code into the victim company's payment code.
Click to expand...

Email notifications sent to customers

guest · Jan 23, 2020

Euro Cup and Olympics Ticket Reseller Hit by MageCart
January 23, 2020
https://www.bleepingcomputer.com/ne...and-olympics-ticket-reseller-hit-by-magecart/

Site belonging to a reseller of tickets for Euro Cup and the Tokyo Summer Olympics, two major sports events happening later this year, have been infected with JavaScript that steals payment card details.
On one of the websites, the malicious code survived for at least 50 days, while on the other it lasted for two weeks. If not for the intervention and persistence of two security specialists, the malware would have continued to pilfer card data undetected.
Hiding in a legitimate library
The card skimmer was initially discovered by Jacob Pimental on the secondary ticket market OlympicTickets2020.com. It was hiding in a legitimate library called Slippry (a responsive content slider for jQuery) and activated when the slider loaded.

"The structure of the loader is, aside from the random variable names and script content, exactly the same," Kersten writes in a post today that references the initial analysis.
Click to expand...

Bumpy responsible disclosure
Armed with contact details, the two researchers wanted to share their findings with the owner of the two sites so they could remove the risk.
They tried email communication first but received no reply.

"The second contact via the live chat provided us with the information that the security team could not find anything, after which the case was closed."

Pimental and Kersten warn that shopping at olympictickets2020.com or eurotickets2020.com between December 3, 2019, and January 21, 2020, likely resulted in card data being stolen. Contacting the issuing bank and requesting a card replacement is the recommended action.
Click to expand...

guest · Feb 3, 2020

mood said: ↑

Euro Cup and Olympics Ticket Reseller Hit by MageCart
January 23, 2020
Click to expand...

Magecart group jumps from Olympic ticket website to new wave of e-commerce shops
February 3, 2020
https://www.zdnet.com/article/magec...cket-website-to-new-wave-of-e-commerce-shops/

Last month, security researchers Jacob Pimental and Max Kersten published research on a Magecart infection uncovered at Olympic ticket reseller [...]
In a continuation of the investigation, the duo has uncovered a new swathe of websites that also reference the OpendoorCDN skimmer, and are therefore compromised by the same malicious code, detailed in a blog post on Monday.

The websites infected with the skimmer were contacted, with initial emails sent out on January 27. At the time of writing, titanssports.com.b may still be impacted by the skimmer whereas the others have removed references to the skimmer.
Click to expand...

guest · Feb 6, 2020

mood said: ↑

Hanna Andersson Data Breach: Hackers Compromise Website of Children's Clothier
Portland, Oregon-based children's clothing maker Hanna Andersson has quietly disclosed a breach to affected customers
January 20, 2020
https://www.securityweek.com/hanna-...hackers-compromise-website-childrens-clothier

Email notifications sent to customers
Click to expand...

Salesforce Data Breach Suit Cites California Privacy Law
February 4, 2020
https://news.bloomberglaw.com/priva...data-breach-suit-cites-california-privacy-law

Salesforce.com Inc. and a children’s clothing company face data-breach allegations in a federal court lawsuit that is among the first to cite California’s landmark privacy law since it took effect Jan. 1.

Salesforce and Hanna Andersson failed to protect user data, safeguard platforms or provide cybersecurity warnings, alleges the complaint filed in the U.S. District Court for the Northern District of California.
The actions violated state laws including the California Consumer Privacy Act, plaintiff Bernadette Barnes claims.

California residents can seek up to $750 per consumer, per incident under the state law after a breach for weak data-security protections. That could mean millions of dollars in damages for large data collectors.
Click to expand...

guest · Feb 9, 2020

Magecart Gang Attacks Olympic Ticket Reseller and Survival Food Sites
A recent slew of skimming attacks have been linked back to Magecart Group 12
February 7, 2020
https://threatpost.com/olympic-ticket-survival-sites-hit-by-cyberattack/152648/

A faction of the Magecart threat group, Magecart group 12, has been linked to a recent digital card skimmer attack bent on stealing payment data from a slew of websites, including ones selling anything from Olympic tickets to emergency preparation kits.
Click to expand...

Over the past few weeks, the group has targeted two ticket sales websites – one called Olympic Tickets is a re-seller of tickets to the upcoming 2020 summer Olympic games and the second, Euro 2020 Tickets, is selling tickets for the 2020 UEFA, a European football championship that takes place in June.

“These sites were compromised by a skimmer using the domain OpenDoorCDN.com for data exfiltration,” said Jordan Herman, threat researcher with RiskIQ in a Friday analysis.
The specific group in question, Magecart Group 12, has also been responsible for attacks on a Paris-based advertising company, Adverline.
New Tactics
“In these recent compromises, there is no obfuscated code inserted on the compromised page and no URL check, instead, they opted for a simple, non-obfuscated bit of code on the compromised page which caused the above skimming script to load.”
Click to expand...

guest · Feb 20, 2020

Credit Card Skimmer Found on Nine Sites, Researchers Ignored
February 20, 2020
https://www.bleepingcomputer.com/ne...mmer-found-on-nine-sites-researchers-ignored/

Security researchers discovered a new batch of nine websites infected with malicious JavaScript that steals payment card info from online shoppers.
Some of them were infected a second time and the script persisted, despite efforts from the researchers to contact the website owners.
Code obfuscation does not help
More recent activity linked to this actor was documented by researchers Jacob Pimental and Max Kersten towards the end of January when they published details about two sports events ticket resellers running card skimming code.
Non-responsive victims across the globe
The two researchers found nine websites infected by this particular code and tried to contact all owners about the threat. None of them replied and the latest check showed that the malicious script was still active on all but one.
Below is a list of the compromised sites and the latest known infection status.

The MageCart threat is relentless and as long as there are vulnerable websites, hackers will try to plant a payment card skimmer on it.
Click to expand...

Following the tracks of MageCart 12

This research is a follow up on the two previous articles about MageCart 12. At first, two infected ticket resellers were found, after which multiple other infected websites were caught by Jacob and me. RiskIQ also followed up on our findings with additional research where they found two popular websites to be infected with a credit card skimmer that has been attributed by MageCart 12.
Click to expand...

itman · Feb 21, 2020

mood said: ↑

Credit Card Skimmer Found on Nine Sites, Researchers Ignored
February 20, 2020
https://www.bleepingcomputer.com/ne...mmer-found-on-nine-sites-researchers-ignored/
Click to expand...

@Rasheed187 this posting is for you since you seemed obsessed with web site credit card skimmers.

Per the linked article, picked one of the infected sites - Bahimi swimwear shop - first infected in November, 2019, the skimmer is still there today.

Attempted to order something here: https://bahimi.com/gbp/checkout/onepage/ .

Eset immediately detected the card skimmer:

So get yourself a top rated AV solution and you can put your worries to rest.

-EDIT- Note that if your using an AV solution that does not use SSL/TLS protocol scanning, it won't protect your against these attacks since most are Javascript based. Additionally, browser noscript option is N/A since most payment web pages require Javascript to function properly.

guest · Feb 25, 2020

mood said: ↑

Credit Card Skimmer Found on Nine Sites, Researchers Ignored
February 20, 2020
https://www.bleepingcomputer.com/ne...mmer-found-on-nine-sites-researchers-ignored/

Following the tracks of MageCart 12
Click to expand...

Credit Card Skimmer Running on 13 Sites, Despite Notification
February 25, 2020
https://www.bleepingcomputer.com/ne...mer-running-on-13-sites-despite-notification/

The tally of shopping websites infected by MageCart Group 12 with JavaScript that steals payment card info is seeing a sharp increase. Nearly 40 new victims have been discovered.
Some of them were compromised as early as September 30, 2019, allowing attackers to collect payment card info for more than four months.
No reply, as usual
In a blog post today, Kersten publishes infection dates for nearly 40 new websites. Although notified of the compromise, 13 of them continued to load the malicious JavaScript in the early hours of February 25 (CET).
Just like in the case of previous research, there was no reply from the website owners. A few victims have removed the bad script after February 21, likely after getting Kersten's memo.
Slight changes, long list of victims
A list of sites infected by MageCart Group 12 is available below. [...]
Click to expand...

Closing in on MageCart 12

guest · Feb 26, 2020

18 Sniffers Steal Payment Card Data from Print Store Customers
February 26, 2020
https://www.bleepingcomputer.com/ne...payment-card-data-from-print-store-customers/

For the past 30 months, an online printing platform with a cover store for well-known magazines has been constantly infected with malicious scripts that steal customer payment card data.

At least 18 skimmers or sniffers - scripts that copy credit card info at checkout, were identified since August 2017 on Reprint Mint photo store that prints covers of ESPN sports magazine and of the American military publication Stars and Stripes.
MageCart sniffer overload
On some occasions, more than one skimmer was active at the same time, indicating that multiple attackers had compromised the site and were receiving the pilfered card info.

Sanguine Security, a company specialized in online store fraud protection, says that the first skimmer they noticed on Reprint Mint ran for a year and a half without drawing attention.
New sniffers were planted starting January 23, 2020, with number five being a constant, regardless of the rivals swooping in. Sanguine Security informs that it was still present on Wednesday, despite multiple attempts to reach out to the printing platform. BleepingComputer could confirm that the two scripts are active at the moment of writing.
Click to expand...

Sanguine Security: Sanguine reveals longest Magecart skimming operation to date [Analysis]

guest · Feb 27, 2020

mood said: ↑

Magecart skimmers found on Amazon CloudFront CDN
June 4, 2019
https://blog.malwarebytes.com/threa...cart-skimmers-found-on-amazon-cloudfront-cdn/
Click to expand...

Fake CDNs obscuring credit card fraudsters
Fake content delivery networks and ngrok servers are being pressed into service to obscure credit card skimming activities
February 26, 2020
https://www.computerweekly.com/news/252479199/Fake-CDNs-obscuring-credit-card-fraudsters

Cyber criminals are attempting to steal the personal details of online shoppers without being spotted by disguising credit card skimmers behind fake content delivery networks (CDNs), in a new technique uncovered and described by Malwarebytes researcher Jérôme Segura, who identified suspicious code lurking on the website of a popular French boutique.

“Using lookalike domains is nothing new among malware authors. One trend we see a fair bit with web skimmers in particular is domains that mimic Google Analytics. Practically all websites use this service for their ranking and statistics, so it makes for very credible copycats.
“Oddly, the crooks decided to use a local web server exposed to the internet via the free ngrok service to collect the stolen data. This combination of tricks and technologies shows us that fraudsters can devise very customised schemes in an attempt to evade detection,” said Segura.

Once collected, the skimmer exfiltrates data to another location, although Segura actually found this to be an intermediary – a simple redirect revealed the actual destination, a custom ngrok server.
Click to expand...

Malwarebytes: Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server

guest · Mar 9, 2020

Focus on the client-side to protect your company from Magecart attacks
The 3 steps required to shield your company from a Magecart attack
March 9, 2020
https://thenextweb.com/growth-quart...o-protect-your-company-from-magecart-attacks/

Gaining mainstream media attention over the last year or so, their most recent high profile attack was on photography retailer, Focus Camera.
Focus Camera just added their name to the growing list of well-known organizations that have fallen victim to similar attacks (British Airways, Newegg, Macy’s) during the last year, with hundreds of thousands of customers typically having their card details stolen.

The Magecart credit card skimming approach is often to insert the malicious skimmer’s code into their target’s third-party providers (which has come to be known as web-based supply chain attacks).
In this way, a company’s website or web app has become the perfect stage from where to steal customer data.

So what can organizations do then in the face of such large-scale attacks with such far-reaching consequences?
Click to expand...

guest · Mar 13, 2020

Why CSP Isn’t Enough to Stop Magecart-Like Attacks
March 11, 2020
https://stewilliams.com/why-csp-isnt-enough-to-stop-magecart-like-attacks/

As Magecart and formjacking attacks become more sophisticated, it’s essential to address not only what services may interact with users, but what that interaction looks like and how to control it.

Most, if not all, of the Magecart-style attacks started from a trusted domain, a third party, or the actual website domain. The British Airways attack started from its own domain, while Delta Airlines, Best Buy, Sears, and others started from trusted third-party domains.
CSP can be used to effectively prevent certain types of client-side attacks. In cases where external resources can be mapped beforehand, thoroughly investigated for malicious code, and be kept up to date through future releases, CSP can be a useful component of an overall anti-Magecart strategy.

However, there are a few issues that show the disadvantages of CSP. Here are three of its biggest problems, as well as a few tips about how to address them.
Click to expand...

guest · Mar 18, 2020

Magecart Cyberattack Targets NutriBullet Website
March 18, 2020
https://threatpost.com/magecart-cyberattack-targets-nutribullet-website/153855/

A faction under the Magecart umbrella, Magecart Group 8, targeted the website of the blender manufacturer, NutriBullet, in an attempt to steal the payment-card data of its online customers.

Yonathan Klijnsma, threat researcher with RiskIQ, said in a Wednesday post that a JavaScript web skimmer code was first inserted on the website of the blender retailer (nutribullet.com) on Feb. 20, specifically targeting the website’s checkout page, where customers input their payment information. As of Tuesday, NutriBullet said that they have removed the malicious code.

“NutriBullet takes cybersecurity and personal privacy extremely seriously and is dedicated to the protection of our customers,” NutriBullet said in a statement to Threatpost. “
Magecart Threat
Researchers said they are familiar with the specific skimmer code used in this incident, as it has been used at least since 2018 by Group 8 – the Magecart group responsible for previous attacks on bedding and pillow manufacturers Amerisleep and MyPillow, as well as Philippine broadcast company ABS-CBN.
Click to expand...

RiskIQ: Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims

guest · Mar 18, 2020

How to deal with BEC attacks
Companies worldwide regularly fall victim to business e-mail compromise attacks. We explain the danger and how to minimize it
March 17, 2020
https://www.kaspersky.com/blog/what-is-bec-attack/34135/

Cybercriminals are constantly on the lookout for new ways to attack companies. In the past few years, they have increasingly resorted to business e-mail compromise (BEC) attacks that target corporate correspondence.

Although BEC attempts often employ phishing-style tricks, the attack is somewhat more sophisticated, with one foot in technological expertise and the other in social engineering. Moreover, the techniques used are one-of-a-kind: The messages contain no malicious links or attachments, but the attackers try to trick the mail client, and thus the recipient, into considering the e-mail legitimate. It’s social engineering that has the starring role.
Common BEC-attack scenarios
Quite a few BEC-attack scenarios already exist, but cybercriminals are forever inventing new ones. According to our observations, most cases are reducible to one of four variants: [...]
Click to expand...

guest · Mar 19, 2020

More Business Websites Hit by Credit-card Skimming Malware
March 19 , 2020
https://businessinsights.bitdefender.com/business-websites-hit-credit-card-skimming-malware

In the last few days it has come to light that blender manufacturer NutriBullet and guitar tuition website Truefire fell foul of hackers who planted Magecart-style malicious code on their sites which went undetected for months, stealing the credit card details and personal information from users.

The attacks on NutriBullet and Truefire are, I'm afraid, only the tip of the iceberg.
Just last week, security researcher Jacob Pimental warned of 60 ecommerce sites that had been recently found to have fallen foul of Magecart.

What you don’t normally see in a data breach, however, is full payment card information stolen - – such as your CVV security code - because most companies simply do not store such details.
That's what makes Magecart so dangerous. Magecart's malicious Javascript skims credit card details and personal information as it is entered by users on websites.
Click to expand...

Companies whose customers have been impacted by past Magecart attacks, including Ticketmaster, British Airways, Feedify, Umbro, Vision Direct, Newegg, Sweaty Betty, SHEIN, the American Cancer Society… and many many more.
While the attacks continue to successfully steal users' sensitive and easily-monetised data via company websites there is no prospect of the criminals behind them stopping any time soon.
Click to expand...

Rasheed187 · Mar 21, 2020

mood said: ↑

More Business Websites Hit by Credit-card Skimming Malware
March 19 , 2020
https://businessinsights.bitdefender.com/business-websites-hit-credit-card-skimming-malware
Click to expand...

I already gave a solution to this website skimming problem. Switch to a system like iDeal or PayPal, seriously this is so stupid. Aren't creditcard companies ashamed of themselves?

guest · Mar 25, 2020

This Household Brand’s Been Hacked and is Ignoring Warnings: Credit Card Skimmer STILL Running
March 25, 2020
https://www.cbronline.com/news/tupperware-hacked-card-skimmer

Malicious code injected into the websites of household brand Tupperware is stealing customers’ credit card details – and a full five days after the company was first contacted about the Magecart-style attack by an established security firm, it has not responded, meaning the threat is still live and shoppers remain at risk.

Santa Clara-based Malwarebytes first identified the attack on March 20. It immediately attempted to notify Tupperware (which sees close to a million page visits a month) of the issue via multiple channels, but said it has failed to rouse a response. Malwarebytes believes the skimmer to have been in place since around March 9, 2020.
When reached by Computer Business Review, Tupperware’s VP of Investor Relations, Jane Garrard said “we are following up internally to evaluate the situation”.
Tupperware Hacked: What’s Happened?
The cyber criminals involved have hidden malicious code within an image file that activates a fraudulent payment form during the checkout process. This form collects customer payment data via a digital credit card skimmer and passes it on to the cybercriminals with Tupperware shoppers none-the-wiser.
Click to expand...

Code embedded in a PNG image is responsible for loading the rogue iframe at the checkout page.

Malwarebytes noted that it was not clear how the malicious PNG image is loaded, but “a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.” (Magento is owned by Adobe).
“Our decision to go public is to ensure that the problem is being looked at in a timely manner to protect online shoppers”.
Click to expand...

Malwarebytes: Criminals hack Tupperware website with credit card skimmer

guest · Apr 2, 2020

Emerging MakeFrame Skimmer from Magecart Sets Sights on SMBs
...claiming 19 sites so far
April 2, 2020
https://threatpost.com/emerging-makeframe-skimmer-magecart-smbs/154374/

Researchers have observed a new skimmer from the prolific Magecart Group that has been actively harvesting payment-card data from 19 different victim websites, mainly belonging to small- and medium-sized businesses (SMBs), for several months.

RiskIQ researchers first discovered the skimmer, dubbed MakeFrame for its use of iframes to skim data, on Jan. 24. Since then, they’ve captured several different versions of the skimmer with “various levels of obfuscation,” researchers Jordan Herman and Mia Ihm wrote in a blog post published Thursday.

“This version of the skimmer is the classic Magecart blob of hex-encoded terms and obfuscated code,” Herman and Ihn wrote. “It is nestled in amongst benign code to blend in and avoid detection.”
MakeFrame also leeches off the compromised site for its functionality, a technique that in particular alerted researchers that MakeFrame is most likely the work of Magecart Group 7. And, targeting SMB sites, as MakeFrame does, also is indicative of Magecart Group 7 activity, researchers said.
Click to expand...

The latest skimmer uncovered by RiskIQ shows the group’s “continued evolution, honing tried-and-true techniques and developing new ones all the time,” researchers wrote.

“RiskIQ data shows Magecart attacks have grown 20 percent amid the COVID-19 pandemic,” Herman and Ihm wrote. “With many home-bound people forced to purchase what they need online, the digital-skimming threat to e-commerce is as pronounced as ever.”
Click to expand...

RiskIQ: MakeFrame: Magecart Group 7’s Latest Skimmer Has Claimed 19 Victim Sites

guest · Apr 17, 2020

Magecart gang bypasses iframe protection on hosted payment site
April 16, 2020
https://portswigger.net/daily-swig/magecart-gang-bypasses-iframe-protection-on-hosted-payment-site

The comforting notion that payment services hosted within iframes offer an effective defense against Magecart attacks has been shaken.
Security researchers at PerimeterX discovered that some cybercriminals have started using a technique capable of bypassing the protection offered by iframes, which are used to embed HTML documents within another.

In practical terms, online retailers outsource the management of payments by integrating third-party payment scripts that are hosted within an iframe on the checkout page.

“The iframe which is sourced from the payment provider receives the credit card number, CVV, and expiration date in a protected scope, in which the browser enforces a data access restriction as part of its Same Origin Policy (SOP) security mechanism,” PerimeterX explains.
The approach helps to protect payment forms from Magecart and other digital skimming attacks – or so we’ve hoped.
Click to expand...

Saturn runs rings around Braintree
One Magecart group tracked by PerimeterX has been hard at work attempting to break the iframe protection on websites using popular payment services including PayPal-subsidiary Braintree, Worldpay, and Stripe.

“They have been successful in one instance with a website using Braintree,” according to PerimeterX.
In a technical blog post, PerimeterX explains how by bypassing client-side validation, the browser now loads the iframe from a domain the attacker controls.

“This stealthy attack technique gives no indication of compromise to the user or the website admin, enabling the skimming to persist on checkout pages for a long time,” PerimeterX warns.
Click to expand...

PerimeterX: New Stealth Magecart Attack Bypasses Payment Services Using Iframes

Log in or Sign up

Magecart Attacks Grow Rampant in September

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

itman Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Rasheed187 Registered Member

guest Guest

guest Guest

guest Guest

Log in or Sign up

Magecart Attacks Grow Rampant in September

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

itman Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Rasheed187 Registered Member

guest Guest

guest Guest

guest Guest

Useful Searches